We claim: 



1 1 . A system for securely providing biometric input from a user, comprising: 

2 a biometric sensor; 

3 a security component which provides security functions, such that the security component 

4 can vouch for authenticity of components with which it is securely operably connected; 

5 a card containing stored secrets and stored identifying information pertaining to an 

6 authorized holder of the card; 

7 a card reader for accessing the stored secrets and stored identifying information; 

8 means for operably inserting the card into the card reader; and 

^ means for securely operably connecting the biometric sensor, the card reader, and the 

Ifr security component. 

5[ 2. The system according to Claim 1, wherein the stored identifying information comprises 

stored biometric information of the authorized holder, and further comprising means for 

^ comparing biometric information obtained with the biometric sensor from a user of the system, to 

4 the stored biometric information of the authorized holder. 

1 3 . The system according to Claim 1 , wherein selected ones of the secure operable 

2 connections are made using one or more buses of the security component. 
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1 4, The system according to Claim 1, wherein selected ones of the operable connections are 

2 made using a wireless connection between respective ones of the components and the security 

3 component. 

1 5, The system according to Claim 4, wherein the wireless connections use Secure Sockets 

2 Layer (SSL) data encryption or an equivalent which provides mutual authentication of both 

3 endpoints, negotiation of a time-limited key agreement with secure passage of a selected 

4 encryption key, and periodic renegotiation of the time-limited key agreement with a new 

5 encryption key. 

5^ 6. The system according to Claim 1, wherein selected ones of the secure operable 

$ connections are provided when the security component is manufactured. 

P 7. The system according to Claim 1, wherein the components comprise one or more of (1) 

i ■ input/output components and (2) appUcation processing components. 

1 8. The system according to Claim 1, wherein the means for securely operably connecting 

2 further comprises means for authenticating the biometric sensor and the card reader to the 

3 security component. 
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9. The system according to Claim 8, further comprising means for authenticating the security 
component to the biometric sensor and the card reader. 
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1 10. The system according to Claim 1, wherein the means for securely operably connecting is 

2 activated by a hardware reset of the component, and wherein the hardware reset is activated by 

3 operably connecting of the component. 

1 1 L The system according to Claim 8, wherein the means for authenticating the biometric 

2 sensor and the card reader are securely stored thereon, 

1 12, The system according to Claim 8, wherein the means for authenticating ftirther comprises 

2 means for using public key cryptography. 

13. The system according to Clahn % forther comprising means for condudmg that the user is 

2p the authorized holder of the card only if the means for comparing succeeds. 

T 14. The system according to Claim 1 , wherein the card is a smart card. 

1 15. The system according to Claim 2, wherein the stored secrets comprise a private key and a 

2 public key which are cryptographically related using public key cryptography, and further 

3 comprising means for digitally signing information presented to the card with the private key if the 

4 means for comparing succeeds and if the biometric sensor, the card reader, and the security 

5 component remain securely operably connected. 
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1 16. The system according to Claim 2, wherein the means for comparing is performed by the 

2 biometric sensor. 

1 17. The system according to Clam 16, further comprising means for securely transferring the 

2 stored biometric information of the authorized holder to the biometric sensor for use by the means 

3 for comparing. 

1 18. The system according to Claim 17, further comprising means for interrupting the secure 

2 transfer if the biometric sensor, the card reader, and the security component are no longer 
i^J securely operably connected. 

£ 19. The system according to Claim 2, wherein the means for comparing is performed by the 

1 security component. 

M 20. The system according to Claim 1 5, further comprising means for securely operably 

2 connecting an application processing component to the security component, and wherein the 

3 information presented to the card is generated by the securely operably connected application 

4 processing component. 

1 21 . The system according to Claim 8, wherein the means for authenticating further comprises 

2 means for performing a security handshake between the biometric sensor and the security 

3 component and between the card reader and the security component. 
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1 22. The system according to Claim 21 , wherein the biometric sensor and the card reader each 

2 have associated therewith: a unique device identifier that is used to identify data originating 

3 therefrom, a digital certificate, a private cryptographic key and a public cryptographic key that is 

4 cryplographically-associated with the private cryptographic key. 

1 23 . The system according to Claim 8, wherein: 

2 the means for authenticating the biometric sensor fiirther comprises means for using (1) a 
3^ first unique identifier of the biometric sensor, (2) a first digital signature computed over the first 
fj unique identifier using a first private cryptographic key of the biometric sensor, and (3) a first 

public key that is cryptographically associated with the first private key; and 
^; the means for authenticating the card reader fiirther comprises means for using (1) a 

second unique identifier of the card reader, (2) a second digital signature computed over the 

IC second unique identifier using a second private cryptographic key of the card reader, and (3) a 

^ second public key that is cryptographically associated with the second private key. 

1 24. A card which contains one or more previously-stored secrets of an authorized holder of 

2 the card and which has a biometric sensor embedded on a surface thereof 

1 25 . The card according to Claim 24, wherein the biometric sensor is a fingerprint sensor, and 

2 wherein the previously-stored secrets include a fingerprint of the authorized card holder. 
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1 26, The card according to Claim 24, wherein the biometric sensor is a palm print sensor, and 

2 wherein the previously-stored secrets include a palm print of the authorized card holder. 

1 27. The card according to Claim 24, wherein the biometric sensor is a voice print sensor, and 

2 wherein the previously-stored secrets include a voice print of the authorized card holder, 

1 28. The card according to Claim 24, wherein the biometric sensor is a retina scanner, and 

2 wherein the previously-stored secrets include a retina scan of the authorized card holder. 

jO 29. The card according to Claim 24, wherein the biometric sensor is a skin chemistry sensor, 

2rJ and wherein the previously-stored secrets include a skin chemistry of the authorized card holder. 

1 30. The card according to Claim 24, wherein the previously-stored secrets include stored 

{f biometric information of the authorized holder, and further comprising means for comparing 

M biometric information that is obtained with the biometric sensor from a user, to the stored 

4 biometric information of the authorized holder. 

1 31. The card according to Claim 30, forther comprising means for accessing selected ones of 

2 the previously-stored secrets only if the means for comparing determines that the obtained 

3 biometric information of the user matches the stored biometric information of the authorized 

4 holder. 
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1 32, The card according to Claim 3 1 , wherein the previously-stored secrets include a private 

2 cryptographic key of the authorized holder, and wherein the means for accessing fiirther 

3 comprising means for accessing the private key to compute a digital signature over information 

4 presented to the card. 

1 33, A computer program product for securely providing biometric input from a user, the 

2 computer program product embodied on one or more computer-readable media and comprising: 

3 computer-readable program code means for operating a biometric sensor; 

4 computer-readable program code means for operating a security component which 
provides security functions, such that the security component can vouch for authenticity of 

^1 components with which it is securely operably connected; 

computer-readable program code means for accessing a card containing stored secrets and 
8 stored identifying information pertaining to an authorized holder of the card; 

computer-readable program code means for operating a card reader for accessing the 
li^ stored secrets and stored identifying information; 

1 f computer-readable program code means for detecting and responding to an operable 

12 insertion of the card into the card reader; and 

13 computer-readable program code means for securely operably connecting the biometric 

14 sensor, the card reader, and the security component. 
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34. The computer program product according to Claim 33, wherein the stored identifying 
information comprises stored biometric information of the authorized holder, and ftirther 
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3 comprising computer-readable program code means for comparing biometric information 

4 obtained with the biometric sensor from a user of the system, to the stored biometric information 

5 of the authorized holder, 

1 35, The computer program product according to Claim 33, wherein selected ones of the 

2 secure operable connections are made using one or more buses of the security component, 

1 36. The computer program product according to Claim 33, wherein selected ones of the 

2 operable connections are made using a wireless connection between respective ones of the 
$0 components and the security component. 

37, The computer program product according to Claim 36, wherein the wireless connections 

2 use Secure Sockets Layer (SSL) data encryption or an equivalent which provides mutual 

authentication of both endpoints, negotiation of a time-limited key agreement with secure passage 

^ of a selected encryption key, and periodic renegotiation of the time-limited key agreement with a 

5 new encryption key. 

1 38. The computer program product according to Claim 33, wherein selected ones of the 

2 secure operable connections are provided when the security component is manufactured. 
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39, The computer program product according to Claim 33, wherein the components comprise 
one or more of (1) input/output components and (2) application processing components, 
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40. The computer program product according to Claim 33, wherein the computer-readable 
program code means for securely operably connecting fiirther comprises computer-readable 
program code means for authenticating the biometric sensor and the card reader to the security 
component, 

41. The computer program product according to Claim 40, ftirther comprising 
computer-readable program code means for authenticating the security component to the 
biometric sensor and the card reader. 

42. The computer program product according to Claim 33, wherein the computer-readable 
program code means for securely operably connecting is activated by a hardware reset of the 
component, and wherein the hardware reset is activated by operably connecting of the 
component. 

43. The computer program product according to Claim 40, wherein the computer-readable 
program code means for authenticating the biometric sensor and the card reader are securely 
stored thereon. 

44. The computer program product according to Claim 40, wherein the computer-readable 
program code means for authenticating fiirther comprises computer-readable program code means 
for using public key cryptography. 
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1 45. The computer program product according to Claim 34, fiirther comprising computer- 

2 readable program code means for concluding that the user is the authorized holder of the card 

3 only if the means for comparing succeeds. 

1 46. The computer program product according to Claim 33, wherein the card is a smart card. 

1 47. The computer program product according to Claim 34, wherein the stored secrets 

2 comprise a private key and a public key which are cryptographically related using public key 

30 cryptography, and further comprismg computer-readable program code means for digitally signing 

4.! information presented to the card with the private key if the computer-readable program code 

^ means for comparing succeeds and if the biometric sensor, the card reader, and the security 

^ component remain securely operably connected. 

fi 48. The computer program product according to Claim 34, wherem the computer-readable 

f program code means for comparing is performed by the biometric sensor. 

1 49. The computer program product according to Claim 48, forther comprising computer- 

2 readable program code means for securely transferring the stored biometric information of the 

3 authorized holder to the biometric sensor for use by the computer-readable program code means 

4 for comparing. 
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50. The computer program product according to Claim 49, further comprising computer- 
readahle program code means for interrupting the secure transfer if the biometric sensor, the card 
reader, and the security component are no longer securely operably connected. 



1 51. The computer program product according to Claim 34, wherein the computer-readable 

2 program code means for comparing is performed by the security component. 

1 52. The computer program product according to Claim 47, fiirther comprising computer- 

2 readable program code means for securely operably connecting an application processing 
30 component to the security component, and wherein the information presented to the card is 
-Cl generated by the securely operably connected application processing component. 

1 53 , The computer program product according to Claim 40, wherein the computer-readable 

program code means for authenticating forther comprises computer-readable program code means 

M for performing a security handshake between the biometric sensor and the security component and 

f between the card reader and the security component. 

1 54. The computer program product according to Claim 53, wherein the biometric sensor and 

2 the card reader each have associated therewith: a unique device identifier that is used to identify 

3 data originating therefi*om, a digital certificate, a private cryptographic key and a public 

4 cryptographic key that is cryptographically-associated with the private cryptographic key. 
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1 55. The computer program product according to Claim 40, wherein: 

2 the computer-readable program code means for authenticating the biometric sensor further 

3 comprises computer-readable program code means for using (1) a first unique identifier of the 

4 biometric sensor, (2) a first digital signature computed over the first unique identifier using a first 

5 private cryptographic key of the biometric sensor, and (3) a first public key that is 

6 cryptographically associated with the first private key; and 

7 the computer-readable program code means for authenticating the card reader further 

8 comprises computer-readable program code means for using (1) a second unique identifier of the 

9 card reader, (2) a second digital signature computed over the second unique identifier using a 
icfl second private cryptographic key of the card reader, and (3) a second public key that is 

1 K cryptographically associated with the second private key, 

i 56. A method of securely providing biometric input fi-om a user, comprising steps of 

^ operating a biometric sensor; 

Operating a security component which provides security fijnctions, such that the security 

4 component can vouch for authenticity of components with which it is securely operably 

5 connected; 

6 accessing a card containing stored secrets and stored identifying information pertaining to 

7 an authorized holder of the card; 

8 operating a card reader for accessing the stored secrets and stored identifying information; 

9 detecting and responding to an operable insertion of the card into the card reader; and 
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10 securely operably connecting the biometric sensor, the card reader, and the security 

1 1 component. 

1 57. The method product according to Claim 56, wherein the stored identifying information 

2 comprises stored biometric information of the authorized holder, and forther comprising the step 

3 of comparing biometric information obtained with the biometric sensor from a user of the system, 

4 to the stored biometric information of the authorized holder, 

1 58. The method according to Claim 56, wherein selected ones of the secure operable 
fi connections are made using one or more buses of the security component, 

2 59, The method according to Claim 56, wherein selected ones of the operable connections are 
1 made using a wireless connection between respective ones of the components and the security 

component. 

1 60. The method according to Claim 59, wherein the wireless connections use Secure Sockets 

2 Layer (SSL) data encryption or an equivalent which provides mutual authentication of both 

3 endpoints, negotiation of a time-limited key agreement with secure passage of a selected 

4 encryption key, and periodic renegotiation of the time-limited key agreement with a new 

5 encryption key. 
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1 61 . The method according to Claim 56, wherein selected ones of the secure operable 

2 connections are provided when the security component is manufactured. 

1 62. The method according to Claim 56, wherein the components comprise one or more of (1) 

2 input/output components and (2) application processing components. 

1 63 . The method according to Claim 56, wherein the step of securely operably connecting 

2 further comprises the step of authenticating the biometric sensor and the card reader to the 
\ security component. 

% 64. The method according to Claim 63, forther comprising the step of authenticating the 

i security component to the biometric sensor and the card reader. 

if 65 . The method according to Claim 56, wherein the step of securely operably connecting is 
S activated by a hardware reset of the component, and wherein the hardware reset is activated by 

3 operably connecting of the component. 

1 66. The method according to Claim 63, wherein instructions for authenticating the biometric 

2 sensor and the card reader are securely stored thereott. 
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67. The method according to Claim 63, wherein the step of authenticating fiirther comprises 
the step of using public key cryptography. 
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1 68. The method according to Claim 57, further comprising the step of concluding that the user 

2 is the authorized holder of the card only if the comparing step succeeds. 

1 69. The method according to Claim 56, wherein the card is a smart card. 

1 70. The method according to Claim 57, wherein the stored secrets comprise a private key and 

2 a public key which are cryptographically related using pubhc key cryptography, and forther 

3 comprising the step of digitally signing information presented to the card with the private key if 

4 the step of comparing succeeds and if the biometric sensor, the card reader, and the security 
5D component remain securely operably connected. 

P 71. The method according to Claim 57, wherein the step of comparing is performed by the 

2 biometric sensor. 

f ! 72. The method according to Claim 7 1 , further comprising the step of securely transferring the 

2 stored biometric information of the authorized holder to the biometric sensor for use the step of 

3 comparing. 

1 73. The method according to Claim 72, further comprising the step of interrupting the secure 

2 transfer if the biometric sensor, the card reader, and the security component are no longer 

3 securely operably connected. 
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1 74. The method according to Claim 57, wherein the step of comparing is performed by the 

2 security component. 

1 75. The method according to Claim 70, further comprising the step of securely operably 

2 connecting an application processing component to the security component, and wherein the 

3 information presented to the card is generated by the securely operably connected application 

4 processing component. 

1 76. The method according to Claim 63, wherein the step of authenticating forther comprises 

the step of performing a security handshake between the biometric sensor and the security 

^ component and between the card reader and the security component. 

i 77. The method according to Claim 76, wherein the biometric sensor and the card reader each 

^ have associated therewith: a unique device identifier that is used to identify data originating 

I? therefi-om, a digital certificate, a private cryptographic key and a public cryptographic key that is 

4 cryptographically-associated with the private cryptographic key. 

1 78. The method according to Claim 63, wherein: 

2 the step of authenticating the biometric sensor fiirther comprises the step of using (1) a 

3 first unique identifier of the biometric sensor, (2) a first digital signature computed over the first 

4 unique identifier using a first private cryptographic key of the biometric sensor, and (3) a first 

5 public key that is cryptographically associated with the first private key; and 
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the step of authenticating the card reader further comprises the step of using (1) a second 
unique identifier of the card reader, (2) a second digital signature computed over the second 
unique identifier using a second private cryptographic key of the card reader, and (3) a second 
public key that is cryptographically associated with the second private key. 
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